Merge branch 'sslscan2'
rbsec committed Feb 22, 2020
2 parents 8f73bf0 + 6c18eb4 commit 2e8848b
Showing 49 changed files with 5,431 additions and 578 deletions.
6 changes: 2 additions & 4 deletions .travis.yml
@@ -1,5 +1,5 @@
sudo: required
dist: trusty
dist: bionic
language: c

before_install:
@@ -9,8 +9,6 @@ before_install:
script:
- make sslscan CC=clang
- make sslscan CC=gcc
# OpenSSL can't be compiled out-of-the box with clang, see
# http://wiki.openssl.org/index.php/Compilation_and_Installation#Modifying_Build_Settings
#- make static CC=clang
- make static CC=clang
- make static CC=gcc
- make -f Makefile.mingw
12 changes: 12 additions & 0 deletions Changelog
@@ -1,6 +1,18 @@
Changelog
=========

Version: 2.0.0-alpha1
Date : 22/02/2020
Author : rbsec <robin@rbsec.net>
Changes: The following are a list of changes
> Major rewrite of backend scanning code.
> Support for additional cipher suites.
> Support for TLSv1.3
> Support for SSLv2 and SSLv3 protocol detection regardless of
OpenSSL.
> Checks for server key exchange groups.
> Checks for server signature algorithms.

Version: 1.11.13
Date : 24/03/2019
Author : rbsec <robin@rbsec.net>
36 changes: 22 additions & 14 deletions Makefile
@@ -28,7 +28,7 @@ BINDIR = $(PREFIX)/bin
MANDIR = $(PREFIX)/share/man
MAN1DIR = $(MANDIR)/man1

WARNINGS = -Wall -Wformat=2 -Wformat-security
WARNINGS = -Wall -Wformat=2 -Wformat-security -Wno-deprecated-declarations
DEFINES = -DVERSION=\"$(GIT_VERSION)\"

# for dynamic linking
@@ -49,10 +49,7 @@ CFLAGS += -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE
# Don't enable some hardening flags on OS X because it uses an old version of Clang
ifneq ($(OS), Darwin)
ifneq ($(OS), SunOS)
# Cygwin's linker does not support -z option.
ifneq ($(findstring CYGWIN,$(OS)),CYGWIN)
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
endif
LDFLAGS += -pie -z relro -z now
endif
endif

@@ -61,7 +58,7 @@ ifeq ($(STATIC_BUILD), TRUE)
PWD = $(shell pwd)/openssl
LDFLAGS += -L${PWD}/
CFLAGS += -I${PWD}/include/ -I${PWD}/
LIBS = -lssl -lcrypto -lz
LIBS = -lssl -lcrypto -lz -lpthread
ifneq ($(OS), FreeBSD)
LIBS += -ldl
endif
@@ -75,6 +72,14 @@ LDFLAGS += -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/opt/openssl/lib
CFLAGS += -I/usr/local/include -I/usr/local/ssl/include -I/usr/local/ssl/include/openssl -I/usr/local/opt/openssl/include -I/opt/local/include -I/opt/local/include/openssl
endif

# Find the number of processors on the system (used in -j option in building OpenSSL).
# Uses /usr/bin/nproc if available, otherwise defaults to 1.
NUM_PROCS = 1
ifneq (,$(wildcard /usr/bin/nproc))
NUM_PROCS = `/usr/bin/nproc --all`
endif


.PHONY: all sslscan clean install uninstall static opensslpull

all: sslscan
@@ -114,28 +119,31 @@ uninstall:
true
opensslpull:
if [ -d openssl -a -d openssl/.git ]; then \
cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
cd ./openssl && git checkout OpenSSL_1_1_1-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
else \
git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
git clone --depth 1 -b OpenSSL_1_1_1-stable https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
fi

# Need to build OpenSSL differently on OSX
ifeq ($(OS), Darwin)
openssl/Makefile: .openssl.is.fresh
cd ./openssl; ./Configure -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC enable-ssl2 enable-weak-ssl-ciphers zlib darwin64-x86_64-cc
cd ./openssl; ./Configure -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC enable-weak-ssl-ciphers zlib darwin64-x86_64-cc
# Any other *NIX platform
else
openssl/Makefile: .openssl.is.fresh
cd ./openssl; ./config -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC no-shares enable-weak-ssl-ciphers enable-ssl2 zlib
cd ./openssl; ./config -v -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC no-shared enable-weak-ssl-ciphers zlib
endif

openssl/libcrypto.a: openssl/Makefile
$(MAKE) -C openssl depend
$(MAKE) -C openssl all
$(MAKE) -C openssl test
$(MAKE) -j $(NUM_PROCS) -C openssl depend
$(MAKE) -j $(NUM_PROCS) -C openssl all
# $(MAKE) -j $(NUM_PROCS) -C openssl test # Disabled because this takes 45+ minutes for OpenSSL v1.1.1.

static: openssl/libcrypto.a
$(MAKE) sslscan STATIC_BUILD=TRUE
$(MAKE) -j $(NUM_PROCS) sslscan STATIC_BUILD=TRUE

test: static
./docker_test.sh

clean:
if [ -d openssl ]; then ( rm -rf openssl ); fi;
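Review bot: In `opensslpull`, the clone and the `git checkout`/`git pull` path both follow the moving tip of `OpenSSL_1_1_1-stable` (taking the second line of each printed pair as the new side), so `make static` links whatever that branch contains at build time with nothing pinned or checked, and the same pattern is in `Makefile.mingw`'s `opensslpull`. The `openssl/libcrypto.a` hunk also comments out `$(MAKE) -C openssl test`, so the fetched library is no longer self-tested before it is linked. I would pin a reviewed release, e.g. `git clone --depth 1 -b $(OPENSSL_TAG) https://github.com/openssl/openssl ./openssl`, and fail the recipe unless `git -C openssl rev-parse HEAD` equals a commit id recorded next to `OPENSSL_TAG` (both are placeholders to be filled in by the maintainer). Separately, `grep -q "Already up-to-date."` depends on the exact wording of `git pull` output, which I believe newer Git releases print as "Already up to date.", and the added `test` target is missing from the `.PHONY` line.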
8 changes: 4 additions & 4 deletions Makefile.mingw
@@ -49,8 +49,8 @@ SECURITY_OPTIONS=-fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-sec
# Turn on linker optimizations, and DEP support (--nxcompat)
LINK_OPTIONS=-Wl,-O1 -Wl,--discard-all -Wl,--no-undefined -Wl,--dynamicbase -Wl,--nxcompat -static

CFLAGS += -Iopenssl_mingw/include -D__USE_GNU
LDFLAGS += -lws2_32 -lgdi32
CFLAGS += -Iopenssl_mingw/include -D__USE_GNU -DOPENSSL_NO_SSL2 -Wno-deprecated-declarations
LDFLAGS += -lws2_32 -lgdi32 -lcrypt32

# Set the version string for the program.
VERSION = "$(shell grep -E -o -m 1 "[0-9]+\.[0-9]+\.[0-9]+" Changelog) Windows $(ARCHITECTURE) (Mingw)"
@@ -71,9 +71,9 @@ zlibpull:

opensslpull:
if [ -d openssl_mingw -a -d openssl_mingw/.git ]; then \
cd ./openssl_mingw && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl_mingw.is.fresh ] || touch ../.openssl_mingw.is.fresh ; \
cd ./openssl_mingw && git checkout OpenSSL_1_1_1-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl_mingw.is.fresh ] || touch ../.openssl_mingw.is.fresh ; \
else \
git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl_mingw && cd ./openssl_mingw && touch ../.openssl_mingw.is.fresh ; \
git clone --depth 1 -b OpenSSL_1_1_1-stable https://github.com/openssl/openssl ./openssl_mingw && cd ./openssl_mingw && touch ../.openssl_mingw.is.fresh ; \
fi

zlib_mingw/libz.a: zlibpull
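Review bot: `-Wno-deprecated-declarations` is appended to `CFLAGS` with no comment (taking the second `CFLAGS +=` line as the new side), and because it sits in the global flags it silences every deprecated-API warning in the whole build, not only the OpenSSL calls that presumably motivated it; the same flag is added to `WARNINGS` in `Makefile`. In a TLS scanner those warnings are the signal that a call into OpenSSL is slated for removal, so I would at least record the reason above the line, e.g. `# OpenSSL 1.1.1 deprecates APIs sslscan still calls; drop this once they are replaced (TODO: list them)`. The page does not show which calls are affected, so the list has to come from a build with the flag removed.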
22 changes: 22 additions & 0 deletions README.md
@@ -1,3 +1,25 @@
# sslscan2

An alpha build of sslscan 2 has been merged into master. If you want the old code,
the tag [1.11.11-rbsec](https://github.com/rbsec/sslscan/tree/1.11.11-rbsec) was the last release in that branch.

The main changes in sslscan2 is a major rewrite of the backend scanning code,
which means that it is no longer reliant on the version of OpenSSL for many checks.
This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well
as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against.

This has been made possible largely by the work of [jtesta](https://github.com/jtesta), who has been
responsible for most of the backend rewrite.

Other key changes include:

* Enumeration of server key exchange groups.
* Enumeration of server signature algorithms.
* SSLv2 and SSLv3 protocol support it scanned, but individual ciphers are not.
* A test suite is included using Docker, to verify that sslscan is functionality correctly.

There are likely to be bugs in this version, so please report any that you encounter.

# README

[![Build Status](https://travis-ci.org/rbsec/sslscan.svg?branch=master)](https://travis-ci.org/rbsec/sslscan)